Licensing
The KMIP feature requires that the StoreEver MSL2024/4048/8096 KMIP license be installed
before the feature can be enabled and configured.
Using application-managed encryption
Hardware encryption is turned off by default and is switched on by settings in your backup
application, where you also generate and supply the encryption key. Your backup application
must support hardware encryption for this feature to work. For a current list of suitable backup
software, see the BURA Data Agile Compatibility Matrix at
http://www.hpe.com/info/ebs.
NOTE: The tape library can only obtain encryption keys from one source. Using the encryption
kit will prevent application-managed encryption.
Encryption is primarily designed to protect the media once it is offline and to prevent it being
accessed from another machine. You will be able to read and append the encrypted media
without being prompted for a key as long as it is being accessed by the machine and application
that first encrypted it.
There are two main instances when you will need to know the key:
• If you try to import the media to another machine or another instance of the backup application
• If you are recovering your system after a disaster
NOTE: Encryption with keys that are generated directly from passwords or passphrases might
be less secure than encryption using truly random keys. Your application should explain the
options and methods that are available. Please refer to your application's user documentation
for more information.
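The Python sketch below is an added example, not part of this guide or of any backup application. It illustrates the NOTE above by comparing a random key with keys derived from a passphrase. It assumes a 256-bit AES key; the single unsalted SHA-256 in direct_key is a hypothetical stand-in for "generated directly from a password", and all function names are illustrative.

```python
import hashlib
import math
import secrets
import string

KEY_BYTES = 32  # assumption: 256-bit AES key


def random_key() -> bytes:
    """Key from the OS CSPRNG: all 2**256 values are equally likely."""
    return secrets.token_bytes(KEY_BYTES)


def direct_key(passphrase: str) -> bytes:
    """Key generated directly from a passphrase (hypothetical scheme:
    one unsalted hash). 256 bits long, but only as strong as the passphrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def stretched_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256). The salt makes each
    derivation unique; the iterations make every guess more expensive."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def passphrase_bits(passphrase: str) -> float:
    """Upper bound on passphrase entropy from its length and the ASCII
    character classes it uses. Dictionary words score far lower in practice."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def effective_key_bits(passphrase: str, iterations: int = 1) -> float:
    """Approximate guessing cost of the derived key, in bits: passphrase
    entropy plus the work factor, never more than the key length."""
    return min(8 * KEY_BYTES, passphrase_bits(passphrase) + math.log2(iterations))


if __name__ == "__main__":
    sample = "tapebackup2024"  # constructed sample passphrase
    salt = secrets.token_bytes(16)
    print("random key          : 256 bits,", random_key().hex())
    print("direct from password: <= %.1f bits," % effective_key_bits(sample),
          direct_key(sample).hex())
    print("PBKDF2, 600k rounds : <= %.1f bits," % effective_key_bits(sample, 600_000),
          stretched_key(sample, salt).hex())
```

If a passphrase-derived key is used, the salt and iteration count must be recorded alongside the passphrase, because the key cannot be regenerated without them.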
If you are unable to supply the key when requested to do so, neither you nor Hewlett Packard
Enterprise Support will be able to access the encrypted data.
This guarantees the security of your data, but also means that you must be careful in the
management of the encryption key used to generate the tape.
CAUTION: You should keep a record or backup of your encryption keys and store them in a
secure place separate from the computer running the backup software.
For more information about AES encryption, encryption keys, and using hardware encryption
with your HPE Ultrium tape drive, see the White Papers on
http://www.hpe.com/info/enterprise/docs.
For detailed instructions about enabling encryption, please refer to the documentation supplied
with your backup application or with the encryption kit. That documentation also highlights any
default states, for example when copying tapes, that might need to be changed when using
encrypted tapes.
Logical libraries
You can configure a tape library with multiple tape drives into logical libraries. Each logical library
must contain at least one tape drive. Each logical library is configured independently, allowing
use by different backup applications and with different backup policies. For example, one logical
library could perform a backup operation for one department while the second logical library
restores data for another department. Or, one logical library could have encryption enabled while
another has encryption disabled. Data cartridges in one logical library cannot be shared with
other logical libraries.
All logical libraries have access to the mailslot if the mailslot is enabled. The tape library prohibits
a cartridge that was placed in the mailslot by one logical library from being moved into another
logical library. The library allows a cartridge that was placed in the mailslot by the operator to be